So I understand grok patterns to be regex queries (Like DNS names for IP addresses). I am trying to build some patterns for the following log entries.

New Node: Issue: Semalt Project  Spam Bot Network: LLC "McLaut-Invest"
Abuse unresolved for 75 days: host:  / Liberty Global
New Node: Issue:   Intelligence Bot Network: Unknown
New Node: Issue:   Intelligence Bot Network: Unknown
New Node: Issue:   Intelligence Bot Network: Unknown
New Node: Issue:  Login Brute Force Bot Network: No.31,Jin-ro
New Node: Issue:   Intelligence Bot Network: ADVANCEDHOS
New Node: Issue: Orphan  Scanner Network: SimpleLink LLC
New Node: Issue: Fake Referrer Log  Bot Network:  / T:…
New Node: Issue: Shellshock Exploiter Bot (shell  Download and

I want to carve these into the following fields:
IP Address

I've managed to build two, reason and IP address:

WIBSREASON ((New Node: ?)|Abuse unresolved for [0-9]?[0-9][0-9]? days: ?)
WIBSIP ([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)

However, I am having a problem figuring out how to create one for Issue and one for Network, without including the words Issue or Network. The problem I am having is delineating where Issue should stop. Any grok gurus out there that can help me? Also, FYI, the number of spaces between issue and the next work varies between one and three spaces....if that matters any.

Hi Walker,

The way I see it is that you have just two patterns, which need to be parsed.

The first pattern being the following:

and the second as:

You could use the patterns included in GROK to parse this data, however please note that GROK is case sensitive. You should ideally be aware of the number of spaces or write a custom regex patterns to parse multiple spaces. Here is a sample pattern i wrote to parse the data. You can easily reuse the same logic to parse the other data as well.


You can use the grok constructor included in xpack basic to create this pattern. Or you can use the grok debugger app (

Here is a list of patterns predefined.


I appreciate your time but I have four fields, not two. Using the first event in the OP, I'd like to parse it out to:

FieldName Value
Reason New Node
IP Address
Issue Semalt Project Spam Bot
Network LLC "McLaut-Invest"

This then lets me further build out using geoip filtering on the IP address or analysis of the Issue field. I've got a workaround at the moment that involves regex and then mutate's gsub to remove all the crap I don't want...but, as you can see below, it's a lot of extra stuff and seems kinda hacky.

  if [user][screen_name] == "WebironBots" {
    if [extended_tweet][full_text] {
      ruby {
        code => "event.set('event', event.get('[extended_tweet][full_text]').scan(/New Node|Abuse unresolved for [0-9][0-9]?[0-9]? days/i))
                 event.set('ip_address', event.get('[extended_tweet][full_text]').scan(/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?/i))
                 event.set('issue', event.get('[extended_tweet][full_text]').scan(/Issue.*/i))
                 event.set('network', event.get('[extended_tweet][full_text]').scan(/Network.*/i))"
  } else {
      ruby {
        code => "event.set('event', event.get('text_original').scan(/New Node|Abuse unresolved for [0-9][0-9]?[0-9]? days/i))
                 event.set('ip_address', event.get('text_original').scan(/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?/i))
                 event.set('issue', event.get('text_original').scan(/Issue.*/i))
                 event.set('network', event.get('text_original').scan(/Network.*/i))"
    geoip {
      source => "ip_address"
      fields => [
      tag_on_failure => false
    mutate {
      gsub => [
        "issue", "Issue:\s*|Network.*|https?:\/\/\S* |\#", "",
        "network", "Network:\s*|https?:\/\/\S* |\#", ""
      add_field => {
        "coordinates" => "%{[geoip][latitude]}, %{[geoip][longitude]}"

Hi Walker,

I realize that, and if you notice my expression written, it does parse out 4 fields in total. I will rewrite to explain it better.


Hope this helps. Let me know if you need any more help.


This is what I get for half paying attention facepalm. Thanks for the help NerdSec.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.